Description
A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/mod_room/index.php?view=edit. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to unauthorized database access and potential data breach
Action: Immediate Patch
AI Analysis

Impact

A flaw exists in the admin room editing page of itsourcecode Free Hotel Reservation System 1.0, specifically the /admin/mod_room/index.php?view=edit endpoint. Manipulating the ID argument allows an attacker to perform a SQL injection, potentially exposing, altering, or deleting data stored in the reservation database. The vulnerability is remote and has a published proof‑of‑concept, indicating that attackers can trigger it from an external network.

Affected Systems

Only Free Hotel Reservation System version 1.0 is confirmed affected. The vulnerability affects the admin/mod_room/index.php file, particularly the edit view. Users deploying this version should inspect their installations for the mentioned endpoint and version.

Risk and Exploitability

The CVSS score of 5.3 represents medium severity, while an EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the vulnerability can be triggered remotely, but the description does not specify whether authentication or specific user privileges are required. The presence of a published exploit suggests a realistic threat, particularly for sites with exposed administrative interfaces.

Generated by OpenCVE AI on March 28, 2026 at 06:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade to a newer version of Free Hotel Reservation System if available
  • Restrict external access to /admin/mod_room/index.php to trusted IP addresses or VPN connections
  • Implement input validation and use prepared statements or parameterized queries to avoid direct query concatenation
  • Enable logging of database activity and monitor for anomalous queries
  • Conduct regular vulnerability scans or penetration tests on administrative functions
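
The input-validation and parameterized-query recommendation above, shown as an added example that is not code from the affected application or from OpenCVE. The `room` table, its columns and the function names are hypothetical, and PDO with an in-memory SQLite database stands in for the application's database so the script runs on its own (PHP 8 with the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);
// Added example. Table, column and function names are hypothetical;
// an in-memory SQLite database stands in for the application's database.

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE room (room_id INTEGER PRIMARY KEY, name TEXT, price REAL)');
    $pdo->exec("INSERT INTO room VALUES (7, 'Deluxe', 120.0), (8, 'Suite', 200.0)");
    return $pdo;
}

// Input validation: accept only a string holding a positive integer.
// Arrays (from ?id[]=...) and strings with trailing text are rejected.
function parseRoomId(mixed $raw): int
{
    $id = is_string($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// Parameterized query: the id is bound as an integer and never
// concatenated into the SQL text.
function findRoom(PDO $pdo, mixed $rawId): ?array
{
    $stmt = $pdo->prepare('SELECT room_id, name, price FROM room WHERE room_id = :id');
    $stmt->bindValue(':id', parseRoomId($rawId), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs for the id parameter.
$pdo = openDemoDb();
foreach (['7', '9', '7 OR 1=1', ['7']] as $raw) {
    try {
        $row = findRoom($pdo, $raw);
        $result = $row === null ? 'no such room' : 'found ' . $row['name'];
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    echo json_encode($raw), ' => ', $result, PHP_EOL;
}
```

Validation and binding are independent layers: the bound parameter alone keeps the value out of the SQL text, and the validation step lets the handler return an error before any query is issued.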


Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description
  Removed: A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/mod_room/index.php?view=edit. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
  Added: A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/mod_room/index.php?view=edit. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.
Metrics
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description: A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/mod_room/index.php?view=edit. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Title: itsourcecode Free Hotel Reservation System index.php sql injection
First Time appeared: Itsourcecode; Itsourcecode free Hotel Reservation System
Weaknesses: CWE-74, CWE-89
CPEs: cpe:2.3:a:itsourcecode:free_hotel_reservation_system:*:*:*:*:*:*:*:*
Vendors & Products: Itsourcecode; Itsourcecode free Hotel Reservation System
References
Metrics
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED
Assigner: VulDB
Published:
Updated: 2026-03-27T22:08:05.053Z
Reserved: 2026-03-27T08:26:57.746Z
Link: CVE-2026-4966

Vulnrichment

Updated: 2026-03-27T19:30:05.415Z

NVD

Status: Awaiting Analysis
Published: 2026-03-27T18:16:06.810
Modified: 2026-03-30T13:26:29.793
Link: CVE-2026-4966

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:01:05Z